CSP - extract all other inline JavaScripts (#6528)

* wizard page inline js * print topic inline js * drop JS for preventing double submission this is the default behavior with Rails' UJS `disable_with` helper * omniauth complete redirect JS * account activate inline js
2018-10-25 09:52:01 -04:00 · 2018-10-25 09:52:01 -04:00 · a6eca28ec6
parent 56e0f47bcd
commit a6eca28ec6
14 changed files with 71 additions and 63 deletions
--- a/app/assets/javascripts/activate-account.js.no-module.es6
+++ b/app/assets/javascripts/activate-account.js.no-module.es6
@ -0,0 +1,24 @@
+(function() {
+  setTimeout(function() {
+    const $activateButton = $("#activate-account-button");
+    $activateButton.on("click", function() {
+      $activateButton.prop("disabled", true);
+      const hpPath = document.getElementById("data-activate-account").dataset
+        .path;
+      $.ajax(hpPath)
+        .then(function(hp) {
+          $("#password_confirmation").val(hp.value);
+          $("#challenge").val(
+            hp.challenge
+              .split("")
+              .reverse()
+              .join("")
+          );
+          $("#activate-account-form").submit();
+        })
+        .fail(function() {
+          $activateButton.prop("disabled", false);
+        });
+    });
+  }, 50);
+})();
--- a/app/assets/javascripts/auto-redirect.js.no-module.es6
+++ b/app/assets/javascripts/auto-redirect.js.no-module.es6
@ -0,0 +1,6 @@
+(function() {
+  const path = document.getElementById("data-auto-redirect").dataset.path;
+  setTimeout(function() {
+    window.location.href = path;
+  }, 2000);
+})();
--- a/app/assets/javascripts/omniauth-complete.js.no-module.es6
+++ b/app/assets/javascripts/omniauth-complete.js.no-module.es6
@ -0,0 +1,14 @@
+(function() {
+  const { authResult, baseUrl } = document.getElementById(
+    "data-auth-result"
+  ).dataset;
+  const parsedAuthResult = JSON.parse(authResult);
+
+  if (!window.opener) {
+    localStorage.setItem("lastAuthResult", authResult);
+    window.location.href = `${baseUrl}?authComplete=true`;
+  } else {
+    window.opener.Discourse.authenticationComplete(parsedAuthResult);
+    window.close();
+  }
+})();
--- a/app/assets/javascripts/print-page.js
+++ b/app/assets/javascripts/print-page.js
@ -0,0 +1,3 @@
+document.addEventListener("DOMContentLoaded", function() {
+  window.print();
+});
--- a/app/assets/javascripts/wizard-start.js.no-module.es6
+++ b/app/assets/javascripts/wizard-start.js.no-module.es6
@ -0,0 +1,4 @@
+(function() {
+  var wizard = require("wizard/wizard").default.create();
+  wizard.start();
+})();
--- a/app/views/topics/show.html.erb
+++ b/app/views/topics/show.html.erb
@ -110,10 +110,6 @@
          color: #0088cc !important;
        }
      </style>
-      <script>
-        document.addEventListener("DOMContentLoaded", function() {
-          window.print();
-        });
-      </script>
+      <%= preload_script('print-page') %>
  <% end %>
 <% end %>
--- a/app/views/user_api_keys/new.html.erb
+++ b/app/views/user_api_keys/new.html.erb
@ -28,20 +28,8 @@
  <%= hidden_field_tag 'push_url', @push_url %>
  <%= hidden_field_tag 'public_key', @public_key%>
  <%= hidden_field_tag 'scopes', @scopes%>
-  <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger', id: 'submit' %>
+  <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %>
 <% end %>
-<script>
-  window.__submitted = false;
-
-  // prevent double submission which would invalidate the nonce
-  document.getElementById('submit').addEventListener('click', function(e){
-    if (window.__submitted) {
-      e.preventDefault();
-    } else {
-      window.__submitted = true;
-    }
-  });
-</script>
 </div>
 <% end %>

--- a/app/views/users/_auto_redirect_home.html.erb
+++ b/app/views/users/_auto_redirect_home.html.erb
@ -1,7 +0,0 @@
-<script language="javascript">
-  (function() {
-    setTimeout(function() {
-      window.location.href = '<%= path("/") %>';
-    }, 2000);
-  })();
-</script>
--- a/app/views/users/activate_account.html.erb
+++ b/app/views/users/activate_account.html.erb
@ -13,22 +13,7 @@
  <%= preload_script "ember_jquery" %>
  <%= preload_script "vendor" %>
  <%= render_google_universal_analytics_code %>
+  <%= tag.meta id: 'data-activate-account', data: { path: path('/u/hp') } %>
 <%- end %>

-<script language="javascript">
-  (function() {
-    setTimeout(function() {
-      var $activateButton = $('#activate-account-button');
-      $activateButton.on('click', function() {
-        $activateButton.prop('disabled', true);
-        $.ajax("<%= path "/u/hp" %>").then(function(hp) {
-          $('#password_confirmation').val(hp.value);
-          $('#challenge').val(hp.challenge.split("").reverse().join(""));
-          $('#activate-account-form').submit();
-        }).fail(function() {
-          $activateButton.prop('disabled', false);
-        });
-      });
-    }, 50);
-  })();
-</script>
+<%= preload_script "activate-account" %>
--- a/app/views/users/omniauth_callbacks/complete.html.erb
+++ b/app/views/users/omniauth_callbacks/complete.html.erb
@ -15,6 +15,11 @@
      border-bottom-color: #999;
    }
  </style>
+  <%= tag.meta id: 'data-auth-result', data: {
+    auth_result: @auth_result.to_client_hash,
+    base_url: Discourse.base_url
+  } %>
+  <%= preload_script('omniauth-complete') %>
 </head>

 <body>
@ -23,18 +28,6 @@
      <%=t "login.auth_complete" %>
      <a href="<%= Discourse.base_url.html_safe %>?authComplete=true"><%= t("login.click_to_continue") %></a>
    </p>
-
-    <script type="text/javascript">
-       var authResult = <%=@auth_result.to_client_hash.to_json.html_safe%>;
-
-       if (!window.opener) {
-         localStorage.setItem('lastAuthResult', JSON.stringify(authResult));
-         window.location.href = '<%= Discourse.base_url.html_safe %>?authComplete=true';
-       } else {
-         window.opener.Discourse.authenticationComplete(authResult);
-         window.close();
-       }
-    </script>
  </div>
 </body>
 </html>
--- a/app/views/users/perform_account_activation.html.erb
+++ b/app/views/users/perform_account_activation.html.erb
@ -13,7 +13,10 @@
    <% else %>
      <p><%= t('activation.please_continue') %></p>
      <p><a class="btn" href="<%= path "/" %>"><%= t('activation.continue_button', site_name: SiteSetting.title) -%></a></p>
-      <%= render partial: 'auto_redirect_home' %>
+      <%- content_for(:no_ember_head) do %>
+        <%= tag.meta id: 'data-auto-redirect', data: { path: path('/') } %>
+      <%- end %>
+      <%= preload_script 'auto-redirect' %>
    <% end %>
  <%end%>
 </div>
--- a/app/views/wizard/index.html.erb
+++ b/app/views/wizard/index.html.erb
@ -17,12 +17,6 @@

  <body class='wizard'>
    <div id='wizard-main'></div>
-
-    <script>
-      (function() {
-        var wizard = require('wizard/wizard').default.create();
-        wizard.start();
-      })();
-    </script>
+    <%= preload_script 'wizard-start' %>
  </body>
 </html>
--- a/config/application.rb
+++ b/config/application.rb
@ -121,6 +121,11 @@ module Discourse
      google-universal-analytics.js
      preload-application-data.js
      authentication-complete.js
+      print-page.js
+      omniauth-complete.js
+      activate-account.js
+      auto-redirect.js
+      wizard-start.js
    }

    # Precompile all available locales
--- a/spec/views/omniauth_callbacks/complete.html.erb_spec.rb
+++ b/spec/views/omniauth_callbacks/complete.html.erb_spec.rb
@ -6,7 +6,7 @@ require_dependency "auth/result"
 describe "users/omniauth_callbacks/complete.html.erb" do

  let :rendered_data do
-    JSON.parse(rendered.match(/var authResult = (.*);/)[1])
+    JSON.parse(rendered.match(/data-auth-result="([^"]*)"/)[1].gsub('&quot;', '"'))
  end

  it "renders auth info" do